| Field | Value |
|---|---|
| Summary | [patch] japanese/mailman: seems to be affected by CVE-2015-2775 also |
| Product | Ports & Packages |
| Reporter | Yasuhito FUTATSUKI <freebsd-bug-report-yf> |
| Component | Individual Port(s) |
| Assignee | Xin LI <delphij> |
| Status | Closed FIXED |
| Severity | Affects Some People |
| CC | delphij, freebsd-bug-report-yf, ports-secteam, tota |
| Priority | --- |
| Keywords | patch |
| Version | Latest |
| Flags | bugzilla: maintainer-feedback? (tota) |
| Hardware | Any |
| OS | Any |
Description
Yasuhito FUTATSUKI
2015-06-01 05:57:01 UTC
Please see also https://bugs.launchpad.net/mailman/+bug/1437145

A commit references this bug:

Author: delphij
Date: Wed Jun 17 00:44:49 UTC 2015
New revision: 389895
URL: https://svnweb.freebsd.org/changeset/ports/389895

Log:
  Apply patch for CVE-2015-2775.

  PR:           ports/200562
  Submitted by: Yasuhito FUTATSUKI <freebsd-bug-report-yf yf bsdclub org>
  Approved by:  maintainer timeout

Changes:
  head/japanese/mailman/Makefile
  head/japanese/mailman/files/patch-CVE-2015-2775

Patch applied against -HEAD. What are the main differences between this port and mail/mailman? Will it be possible that we upstream the improvements and just remove this port?

Created attachment 157830 [details]
patch to security/vuxml/vuln.xml
Should we modify vuln.xml in security/vuxml to add ja-mailman and Merge From Head 2015Q2? (In reply to Xin LI from comment #3) No. Read pkg-descr in japanese/mailman in detail. Comment on attachment 157322 [details] patch to fix CVE-2015-2775 >--- Mailman/Utils.py.orig 2011-12-11 16:56:23.000000000 +0900 >+++ Mailman/Utils.py 2015-06-01 13:25:26.000000000 +0900 >@@ -93,6 +93,12 @@ > # > # The former two are for 2.1alpha3 and beyond, while the latter two are > # for all earlier versions. >+ # >+ # But first ensure the list name doesn't contain a path traversal >+ # attack. >+ if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0: >+ syslog('mischief', 'Hostile listname: %s', listname) >+ return False > basepath = Site.get_listpath(listname) > for ext in ('.pck', '.pck.last', '.db', '.db.last'): > dbfile = os.path.join(basepath, 'config' + ext) A commit references this bug: Author: delphij Date: Wed Jun 17 17:21:19 UTC 2015 New revision: 389950 URL: https://svnweb.freebsd.org/changeset/ports/389950 Log: MFH: r389895 (requested by tato@) Apply patch for CVE-2015-2775. PR: ports/200562 Submitted by: Yasuhito FUTATSUKI <freebsd-bug-report-yf yf bsdclub org> Approved by: ports-secteam@ Changes: _U branches/2015Q2/ branches/2015Q2/japanese/mailman/Makefile branches/2015Q2/japanese/mailman/files/patch-CVE-2015-2775 (In reply to TAKATSU Tomonari from comment #4) Committed, thanks! (Sorry I gets confused and should have credited you instead). (In reply to TAKATSU Tomonari from comment #5) The MFH was done in r389950 and thanks for reminding. Note that since this is a patch-only security fix, you can actually use the ports-secteam@ blanket to merge it to the quarterly branch next time. (In reply to TAKATSU Tomonari from comment #6) I see, thanks for the clarification! |
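Review bot: the check added to Mailman/Utils.py in the quoted hunk depends on `mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS`, but the hunk only adds the consumer; confirm that this port's copy of Defaults.py (or mm_cfg) actually defines the constant, and that it is a character class of permitted characters, because `re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)` strips the accepted characters and treats anything left over as hostile, so a pattern written the other way round would reject every valid list name. The new lines also assume `re`, `syslog` and `mm_cfg` are already imported in this Utils.py, which the visible context lines do not show; worth a quick grep before committing. Minor style point: `if len(re.sub(...)) > 0:` can be written as `if re.sub(...):`.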